• United States




5 InfoSec concerns for colleges and universities

Jun 14, 20164 mins
Endpoint ProtectionInternet SecuritySecurity

Higher education institutions are a prime target for cybercriminals, and IT needs resources to prevent attacks and provide a proper level of security

No industry or sector is immune to data breaches, but some are targeted more often than others. Education came ahead of government, retail and financial sectors, and it was second only to healthcare on Trend Micro’s list of the most-breached industries.

With more than 500 security breaches across 320 higher education institutions since 2005, higher ed accounts for 35 percent of all breaches, according to an enlightening infographic from SysCloud.

Universities and colleges are a high-priority target for a number of reasons:

  • They may be easier to attack than other sectors.
  • They store millions of records with lots of personally identifiable information.
  • They store valuable research and intellectual property.
  • They can provide sideways access into more secure organizations.
  • High-speed networks and massive computation ability make them an excellent platform for attacking others.
  • They operate highly decentralized IT environments.

The list goes on, so it’s no wonder that concerns are being raised. Let’s drill into the top five InfoSec concerns for higher education.

1. Malware

The potential exposure to malware for educational institutions is massive. A huge range of devices have access to networks and systems at universities and colleges. Students and teaching staff use university computers to check personal email, update social media, shop, watch movies and download all sorts of files.

+ Also on Network World: MIT scores worst in cybersecurity +

It’s difficult for IT to keep track of all the traffic and ensure nothing untoward makes it onto the network. In too many cases, they lack the necessary tools to detect and respond to attacks. Building malware defenses is vital, but detection and remediation is also often neglected. When malware isn’t caught quickly and dealt with, it has a chance to burrow deeper.

2. Exploits in database systems and servers

Many universities and colleges employ monolithic internal database systems that may be easy to exploit. Simply identifying and patching all known exploits on institution servers can be a challenge when resources are tight. Many of these systems were built without security in mind, so retro-fitting security protocols can be tricky, but it must be done. Known exploits are an easy inroad for cybercriminals and there are many different endpoints that offer access.

3. Phishing attacks

It’s often easier for attackers to trick people into handing over login details and other sensitive data than it is to gain access by other means. Phishing attacks are growing more and more sophisticated and spreading from email to social media and beyond. Students and teaching staff need to be educated on the risks of clicking links in emails or responding to unverified requests. But that alone won’t be enough to stop successful phishing attacks. Education must be backed up by real-time monitoring and scanning tools that can identify suspicious behavior and traffic and flag it.

4. Vulnerabilities in websites and servers

Without vulnerability management, many universities and colleges leave themselves open to external attack through websites and servers. Cybercriminals can exploit known vulnerabilities quite easily. It’s important to take steps to identify them, but also to create a remediation plan that can patch systems as necessary and close these potential points of access.

5. Device management

Personal devices flood most universities and colleges. Smartphones, laptops, tablets, USB thumb drives and wearables are growing more and more common. There are also risks from network-attached devices such as printers, copiers, scanners and laboratory devices. As the Internet of Things continues to take off, surveillance systems, HVAC systems, vending machines and door controls also have to be taken into account.

Creating a complete picture of the devices that have access to networks and controlling that access carefully is important, but it’s not an easy task.

Closing the door

There’s a lot of work to be done to tighten information security at higher ed institutions. Data classification would help to define the sensitivity of instructional data, encryption should be used far more often for data in transit or at rest, and risk assessments are urgently required to identify critical assets and protect them, but also to ensure compliance with regulatory requirements.

Gathering this data should give staff the ammunition it needs to graduate to higher IT security budgets. Because without more resources, the proper level of security will be impossible to achieve. InfoSec can’t afford to go on sabbatical.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity,, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.